After 13 years, critical infrastructure security still lacking

By William Jackson

Jul 27, 2011

After 13 years of presidential directives, legislation and
cybersecurity initiatives, threats to the nation’s critical
infrastructure continue to grow, members of a panel of government
officials told a subcommittee of the House Energy and Commerce Committee
subcommittee July 26.

“Despite the actions taken by several successive administrations and
the executive branch agencies, significant challenges remain to
enhancing the protection of cyber-reliant critical infrastructures,”
Gregory Wilshusen, the Government Accountability Office’s director of
information security issues, said in a prepared statement to the
Oversight and Investigations Subcommittee.

GAO designated federal information security as a high-risk area in
1997. It has remained on the list since, and the category was expanded
in 2003 to include security of information systems supporting critical
infrastructure. When the latest biennial list of high-risk programs was
released in February, federal and critical infrastructure IT security
again was there.

Critical infrastructure includes, among other things, the nation’s
financial systems, telecommunications networks, and energy production
and transmission facilities, most of which are owned by the private
sector. Their critical status and private ownership requires a level of
partnership and cooperation to secure them that government has struggled
to establish, with the Homeland Security Department as the focal point.

“The United States faces a combination of known and unknown
vulnerabilities, strong and rapidly expanding adversary capabilities,
and a lack of comprehensive threat and vulnerability awareness,” DHS
officials wrote in prepared testimony.

Roberta Stempfley, DHS acting assistant secretary in the Office of
Cyber Security and Communications, and Sean McGurk, director of the
National Cybersecurity and Communications Integration Center, described
the department’s efforts to work with industry.

“Initiating technical assistance with a private company to provide
analysis and mitigation advice is a sensitive endeavor — one that
requires trust and strict confidentiality,” they wrote. “Within our
analysis and warning mission space, DHS has a proven ability to provide
that level of trust and confidence in the engagement.”

However, the department has no regulatory authority and relies on
voluntary cooperation from the private sector, and security has lagged
behind rapidly evolving and growing cyber threats.

Protecting privately owned critical infrastructure was identified as priority in President Decision Directive 63, released in May 1998, which led to the establishment of industry sector Information Sharing and Analysis Centers.

DHS was created and given responsibility for critical infrastructure
protection in 2002, and was given the lead for civilian and private
sector security in the 2003 National Strategy to Secure Cyberspace.

These efforts are offset by a litany offered by Wilshusen of
high-profile attacks against U.S. companies and systems over the last
two years. These include breaches reported in January 2010 of at least
30 technology companies, including Google, which reported the incidents,
and the discovery of Stuxnet in July. Incidents in 2011 included
numerous breaches of defense contractors and security companies in the
United States and Europe.

The United States faces a variety of adversaries in cyberspace, DHS
reported, some capable of targeting systems on which the nation depends,
with the ability to disrupt or destroy them.

Wilshusen identified these areas to protecting critical infrastructure that relies on networked technology:

Implementing actions recommended by the president’s 2009
cybersecurity policy review, which has been slower than expected because
of a lack of clear authority in executive branch departments.

Updating the national strategy for securing the information and
communications infrastructure by clearly articulating goals and
priorities, prioritizing assets and functions and improving
public-private partnerships.